[Rspamd-Users] match rules to base64 encoded body

Emanuel Gonzalez emanuel_gonzalez at live.com.ar
Wed Jul 10 12:34:57 UTC 2019


Hi all,

Lately I see more and more mails using base64 encoding for the body of
the mails, from different senders.


example:

Return-path: <KeithHernandezoepci at safaricombusiness.co.ke>
Envelope-to: x
Delivery-date: Tue, 09 Jul 2019 02:55:34 -0300
Received: from [197.248.190.170] (helo=197-248-190-170.safaricombusiness.co.ke)
by x with esmtp (Exim 4.89)
(envelope-from <KeithHernandezoepci at safaricombusiness.co.ke>)
id 1hkj68-0003fx-Rx
for x; Tue, 09 Jul 2019 02:55:34 -0300
Received: from [186.42.81.129] by public.micromail.com.au with QMQP; Mon, 08 Jul 2019 21:44:48 -0700
Received: from unknown (181.182.96.40)
by mail.webhostings4u.com with SMTP; Mon, 08 Jul 2019 21:33:01 -0700
Received: from unknown (70.161.11.53)
by external.newsubdomain.com with QMQP; Mon, 08 Jul 2019 21:26:36 -0700
Message-ID: <0D533B0C.FA4D4FE3 at safaricombusiness.co.ke>
Date: Mon, 08 Jul 2019 21:10:02 -0700
Reply-To: "Valerie" <KeithHernandezoepci at safaricombusiness.co.ke>
From: "Valerie" <KeithHernandezoepci at safaricombusiness.co.ke>
User-Agent: Opera/7.02 (Windows NT 5.1; U)
MIME-Version: 1.0
To: "Valerie" <x>
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: base64
X-Spam-Score:
X-Spam-Score: 17.7
X-Spam-Score-Int: 177
X-Spam-Bar: +++++++++++++++++
X-Spam-Report: Action: no action
 Symbol: HAS_REPLYTO(0.00)
 Symbol: MX_INVALID(0.50)
 Symbol: HFILTER_HELO_NORES_A_OR_MX(0.30)
 Symbol: HFILTER_HELO_IP_A(1.00)
 Symbol: RCVD_IN_SORBS(0.00)
 Symbol: RCVD_COUNT_THREE(0.00)
 Symbol: TO_DN_ALL(0.00)
 Symbol: MIME_BASE64_TEXT(0.10)
 Symbol: RCVD_IN_BRBL(3.00)
 Symbol: SUBJECT_ENDS_EXCLAIM(0.00)
 Symbol: RCVD_NO_TLS_LAST(0.10)
 Symbol: FROM_EQ_ENVFROM(0.00)
 Symbol: MIME_TRACE(0.00)
 Symbol: R_DKIM_NA(0.00)
 Symbol: ASN(0.00)
 Symbol: MID_RHS_MATCH_FROM(0.00)
 Symbol: ARC_NA(0.00)
 Symbol: R_SPF_FAIL(3.00)
 Symbol: REPLYTO_EQ_FROM(0.00)
 Symbol: FROM_HAS_DN(0.00)
 Symbol: TO_MATCH_ENVRCPT_ALL(0.00)
 Symbol: DMARC_NA(0.00)
 Symbol: RCPT_COUNT_ONE(0.00)
 Symbol: RBL_VIRUSFREE_BOTNET(2.00)
 Symbol: MIME_HTML_ONLY(0.20)
 Symbol: IP_SCORE(0.01)
 Symbol: RBL_SENDERSCORE(2.00)
 Symbol: HFILTER_HOSTNAME_UNKNOWN(2.50)
 Symbol: RCVD_IN_BL_SPAMCOP_NET(3.00)
 Message: (SPF): spf fail
 Message-ID: 0D533B0C.FA4D4FE3 at safaricombusiness.co.ke
X-Spam-Threshold: 50
X-Spam-Status: Yes
Subject: ****SPAM**** For a long time, I was preparing this, but it was worth it to see your reaction... Look!


I have rules that can match the decoded body, but they do not work. My question is:

Is it possible to decode the encoded parts into TXT/HTML?

Otherwise, how can the rule be applied to an encoded mail body?

Regards,
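
Added example, not part of the original post and not Rspamd code: a Python illustration of the situation asked about, showing that a content pattern cannot match the body while it is still base64-encoded and does match once each text part's Content-Transfer-Encoding is undone. The message, the domain `spam.example` and the rule are constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample: a single-part text/html message whose body is
# base64-encoded, mirroring the headers of the mail quoted above.
HTML = '<html><body><p>Come to our site! <a href="http://spam.example">x</a></p></body></html>\r\n'
RAW_MESSAGE = (
    "From: sender@example.org\r\n"
    "To: rcpt@example.net\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="us-ascii"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.encodebytes(HTML.encode("ascii")).decode("ascii").replace("\n", "\r\n")
)

# Hypothetical content rule: a link to the constructed domain.
RULE = re.compile(r'href="http://spam\.example"', re.I)


def raw_body(raw: str) -> str:
    """Return the body exactly as it travels on the wire (still encoded)."""
    return raw.split("\r\n\r\n", 1)[1]


def decoded_text_parts(raw: str):
    """Yield (content_type, text) for every text/* part, after undoing
    the Content-Transfer-Encoding and the declared charset."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "utf-8"
        yield part.get_content_type(), payload.decode(charset, errors="replace")


def rule_hits(raw: str):
    """Return (matched_on_raw_body, matched_on_decoded_parts)."""
    on_raw = bool(RULE.search(raw_body(raw)))
    on_decoded = any(RULE.search(text) for _, text in decoded_text_parts(raw))
    return on_raw, on_decoded


if __name__ == "__main__":
    print(rule_hits(RAW_MESSAGE))
```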

